is the name of the key. Since it must be published in the zone file, it should be a subname of the zone that it is being published in. It is recommended that the key name be the fully qualified domain name of the host so that the update-policy self works correctly (see Section 6.2.22.4 of the BIND ARM for more information on update-policy).

The key will be stored in the file K++.private

is an identity tag to be able to differentiate between different keys under the same name.

There will also be a corresponding K++.key file that contains a DNS KEY resource record formatted for inclusion in the zone file.

One possible problem that can be encountered with dnssec-keygen is that it might use up all the entropy in /dev/random before it is done generating the key. This will make dnssec-keygen appear to hang, when in fact it is simply waiting for more entropy. One solution to this is to use the -r parameter that allows you to specify another random device, such as /dev/urandom.

Configuring the DNS Server

Configuring the server also depends on which type of key you choose.

TSIG Keys

The /etc/named.conf file must be edited to configure the server for dynamic update.

The first step is to configure the server to use the key. This is accomplished with the following lines in the /etc/named.conf file:

key {algorithm HMAC-MD5;secret "";};

is the name of the key chosen when the key was generated (see the previous step, Generating TSIG keys).

is the string after the Key: line in the generated key file (see the previous step, Generating TSIG keys).

SIG(0) Keys

Only the zone file must be edited to configure the server for dynamic update with SIG(0). No changes are needed in /etc/named.conf, because the zone file holds the client's public key, not its private key.

The first step is to add the generated key, using the K++.key file, to the zone file. This generated key file contains a properly formatted resource record that can simply be copied and pasted into the zone file.
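A pre-publication check for the step above, added here as an example and not part of the original guide: it refuses a .private file, requires exactly one KEY record, and confirms the key name is a subname of the zone. The zone example.com, the host names and the key data are constructed, and check_key_rr is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original guide. Zone name, host names and key
# data are constructed; the key material is a placeholder, not a real key.

# check_key_rr ZONE KEYFILE: print the KEY record if it is safe to publish.
check_key_rr() {
    zone=$(printf '%s' "${1%.}" | tr '[:upper:]' '[:lower:]'); keyfile=$2
    [ -r "$keyfile" ] || { echo "refusing: cannot read $keyfile" >&2; return 1; }
    # The .private file must never be published; it starts with this header.
    if grep -q '^Private-key-format:' "$keyfile"; then
        echo "refusing: $keyfile is a private key file" >&2; return 2
    fi
    # Ignore comments and blank lines; exactly one record must remain.
    n=$(grep -vc -e '^[[:space:]]*;' -e '^[[:space:]]*$' "$keyfile" || true)
    [ "$n" -eq 1 ] || { echo "refusing: expected one record, got $n" >&2; return 3; }
    rr=$(grep -v -e '^[[:space:]]*;' -e '^[[:space:]]*$' "$keyfile")
    # Field 1 is the owner; the type follows class IN (a TTL may precede IN).
    owner=$(printf '%s\n' "$rr" | awk '{print tolower($1)}')
    rrtype=$(printf '%s\n' "$rr" | awk '{for(i=2;i<NF;i++) if(toupper($i)=="IN"){print toupper($(i+1)); exit}}')
    [ "$rrtype" = "KEY" ] || { echo "refusing: type '$rrtype' is not KEY" >&2; return 4; }
    # The key name must be a subname of the zone it is published in.
    case "${owner%.}" in
        *."$zone") printf '%s\n' "$rr" ;;
        *) echo "refusing: $owner is not under $zone" >&2; return 5 ;;
    esac
}

# Constructed sample files standing in for dnssec-keygen output.
demo_dir=$(mktemp -d)
printf '%s\n' '; constructed sample' \
    'host1.example.com. IN KEY 512 3 5 Q09OU1RSVUNURUQ=' > "$demo_dir/good.key"
printf '%s\n' 'host1.evil-example.com. IN KEY 512 3 5 Q09OU1RSVUNURUQ=' > "$demo_dir/other.key"
printf '%s\n' 'Private-key-format: v1.2' 'Algorithm: 5 (RSASHA1)' > "$demo_dir/sample.private"

for f in good.key other.key sample.private; do
    if check_key_rr example.com "$demo_dir/$f" >/dev/null 2>&1; then
        echo "$f: ok to append to the zone file"
    else
        echo "$f: rejected (exit $?)"
    fi
done
rm -rf "$demo_dir"
```

On success the function prints the record on standard output, so its output can be appended to the zone file only when the exit status is zero.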

If you are using DNSSEC signed zones, then the next step is to re-sign your zone.

Allowing Updates

The final step is to configure the zone to allow updates using the key. The following statements should be added to the zone options block in /etc/named.conf. The simplest configuration is to add: